Next-generation IAM systems will build a unified view of user identities
Next 12-18 months will see tipping point in adoption rate amongst enterprises
As more enterprises take up bring-your-own-device (BYOD) initiatives amidst the continuing shift toward cloud computing, identity management has come to the forefront of security concerns.
The employee has become the new frontline in the perpetual war against cyber-attacks, and IT departments are increasingly focused on how to not only enable secured remote access to corporate information across multiple devices, but also to ensure that access is granted to the correct user.
However, with the rise of a borderless enterprise and more devices now outside the direct control of IT administrators, it is no longer reasonable to simply assume that the right password means it is indeed the right person.
Speaking to Digital News Asia (DNA) at the RSA Conference Asia Pacific recently held in Singapore, Avi Rosen, director of the Online Threats Managed Services Group for RSA, noted that strong identity protection and verification of the user was no longer enough.
“Last time, once users were verified, they were granted access to everything, with no monitoring of their activities once they were on the network. Today that cannot be the case, as an attacker can loop in to the network by piggybacking on someone’s account,” he said.
He added that enterprises now needed to incorporate certain mechanisms to monitor a user’s activity and manage access in a segmented and restricted manner, and not look at someone with the correct access protocols as a given.
“A change needs to be made. It’s like putting a strong lock on a door and once it’s open, it’s open. You now need to add an alarm system as part of an overall security strategy,” he said.
To help address this evolving threat, RSA, the security division of EMC Corporation, is advocating an adaptive approach toward Identity and Access Management (IAM) to support the growing number of users, partners and cloud services that are accessing corporate resources from endpoint devices and applications that are outside the corporate network.
Tim Belcher, chief technology officer for RSA, said that some of the most exciting work the company is doing is in this space.
“The nexus has to be the person; it’s no longer the same world where we are defined by where we work or live. We are increasingly defined by our digital identities,” he said.
“We need to restore and create a new identity system that will significantly impact the way security is designed, and I think we have a role to play there,” he added.
Manoj Nair, senior vice president of products, Identity Trust Management & RSA Product Strategy, said that the company’s solution was driven by its extensive experience in providing consumer-side identity management for commercial banks.
“That's something most people don’t know about us -- we have been in the identity space for the last eight years after we acquired PassMark Security in 2005, and today manage half a billion identities for over 8000 banks globally,” he said.
In March, RSA launched its newest authentication solution, RSA Authentication Manager (AM) 8.0, which has reportedly been well received by the market.
Research firm Gartner ranked the solution in a leadership position in its 2013 Magic Quadrant for User Authentication, noting that RSA is still the vendor most often cited as the competitor to beat by the others included in this research.
However, it also reported that reference customers were critical of the lack of customisable reporting capabilities of RSA AM8, and while RSA is the vendor most often cited in inquiries, the majority of those inquiries ask about which methods and vendors offer lower TCO (total cost of ownership) and better UX (user experience) than RSA SecurID hardware tokens.
According to Gartner, some of the other vendors' reference customers cited price as a reason for spurning RSA. However, sometimes clients (including RSA customers) are not aware that RSA offers lower-TCO phone-as-a-token authentication methods.
According to Manoj, the company took key takeaways from its work in the consumer space such as ease of use and simplicity, combining them with enterprise standards of identity management such as two-factor authentication to create its big data analytics-driven IAM solution.
“It's not just about authentication though; it’s about authorisation as well. How do you ensure trusted interactions? It’s not about offering access to everything, but rather making the process more intelligent and determining what user needs in an on-going continual evaluation of risk conducted in a more logical, contextual fashion,” he added.
In Manoj's view, next-generation IAM systems, much like RSA’s own offering, will build a unified view of user identities; scale to the growing numbers of users coming from cloud and mobile platforms; and provide better detection of fraudulent and malicious attempts to access corporate resources – all with minimal disruption to legitimate user activity.
Rosen also noted that the problem of managing identities is only going to get much bigger, and the challenge becomes how enterprises look at the huge amount of data being generated and identify those anomalies within a user’s activities.
RSA is predicting that Adaptive IAM technology will be a core component of intelligence-driven security programs in the future, helping organisations protect valuable enterprise information and identities across a blend of trusted and untrusted IT infrastructures.